Privacy Issues Airports

Transcription

1 Privacy and Data Breaches A GROWING AIRPORT CONCERN Dominic Nessi Los Angeles World Airports

2 Privacy in General There is none Google and other search engines, cookies Growth of on-line commerce Social media Mobile devices Vehicle tracking Traffic cameras Medical information

3 Privacy in General RIGHT OF PRIVACY. : the qualified legal right of a person to have reasonable privacy in not having his private affairs made known or his likeness exhibited to the public having regard to his habits, mode of living, and occupation. Personal Identifiable information (PII) as "any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual s identity, such as name, social security number, date and place of birth, mother s maiden name, or biometric records; and (2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information." So, for example, a user's IP address as used in a communication exchange is classed as PII regardless of whether it may or may not on its own be able to uniquely identify a person. From an IT perspective, we use the Privacy Act of 1974, FISMA, the Electronic Communications Act, Computer Fraud and Abuse Act and HIPAA to guide our actions.

4 Six Privacy Issues Airports Must Consider Data Breaches should be high on an airport s priority list Prevention measures Compartmentalize personal information Access control Encrypt when storing, and transmitting over public networks Encrypt data on mobile devices Mobile device management Mitigation measures 1

5

6 Six Privacy Issues Airports Must Consider Data Leakage should also be high on an airport s priority list Prevention measures Organizational policies that limit an employee s ability to take PII home Disabling USB drives Mitigation measures Remote wiping a device 2

7 Six Privacy Issues Airports Must Consider Location based services use personal information LBS comes from many sources GPS, cell towers, wireless access points, indoor positioning, IP addresses, MAC addresses This is a growing area of concern as airports track wait times, based on mobile devices Mobile devices track locations, could be used to determine shopping and eating patterns Police and parking facilities track license plates Many providers are still in a collect phase Collect only what you need 3

8 Six Privacy Issues Airports Must Consider Cloud Computing Challenges Traditional Legal and Technical Privacy Protection Airports are increasingly considering cloud solutions By definition, cloud computing and privacy are at odds Privacy laws relate to a single country cloud computing often crosses national boundaries Privacy laws are evolving slowly in this area Focus on the corporate headquarters of the provider, not the location of the data itself Sensitive information should not leave the country public safety records, CCTV images, credentialing systems Other data can be stored outside the country, but beware of countries known for privacy violations Cloud technology and privacy can co-exist but it needs to be thought out 4

9 Six Privacy Issues Airports Must Consider The Value of Privacy Determines the Level of Protection Airports maintain a great deal of privacy information human resources, credentialing, POS, CCTV, Law Enforcement records, ALPR, medical information Finding the balance between not enough protection and too much is difficult Don t just use legal requirements slow to evolve and trail technology and social changes Data in each system must be classified 5

10 Six Privacy Issues Airports Must Consider Regulatory Changes are Ongoing Absent of specific laws, airports must interpret general privacy laws and general privacy legislation This is especially true for emerging technologies such as smart meters, indoor positioning, facial recognition, vehicle and device location 6

11 The following laws effecting privacy were proposed and are pending consideration before the U.S. House or Senate or were proposed, but not enacted: S Cybersecurity Information Sharing Act (CISA), pending, introduced in the U.S. Senate on July 10, H.R. 3523, H.R. 624 Cyber Intelligence Sharing and Protection Act (CISPA), pending, introduced in and passed by the U.S. House in 2012, reintroduced in and passed by the U.S. House in 2013, pending before the U.S. Senate. H.R Precise Act, reported by committee April 18, 2012 by Representative Dan Lungren (R-CA), but not enacted. The bill changed as "Lungren dropped many of the critical infrastructure and DHS provisions" due to the house. H.R Federal Information Security Amendment Act of 2012, reported by committee April 18, 2012 by Representative Darrell Issa (R-CA), but not enacted. S Secure IT, introduced by Senator John McCain (R-AZ) on March 1, 2012, but was not enacted.

12 S Cybersecurity Act, reported by committee on February 15, Sponsored by Senator Joseph Lieberman (I-CT). Failing to gain enough support for passage, the bill, entitled "Cybersecurity Act of 2012" (S. 3414), was reintroduced on July 19, 2012 in a revised form which omitted federal imposition of security standards on IP providers, as well as including stronger privacy and civil liberties protections. The revised bill was not enacted. In 2015 S (Consumer Privacy Protection Act) would establish a federal security breach notification law and provides protection for many types of data including social security numbers, financial account information, online usernames and passwords, unique biometric data (including fingerprints), information about a person's physical and mental health, information about a person's geo-location, and access to private digital photographs and videos. The bill would preempt weaker state laws while leaving stronger state privacy laws in place. H.R (Student Digital Privacy and Parental Rights Act) would prohibit operators of websites, applications and other online services from selling students' personal information to third parties and using or disclosing students' personal information to tailor advertising to them. S. 668 (Data Broker Accountability and Transparency Act) would, among other things: require data brokers to establish procedures to ensure the accuracy of the personal information they collect, assemble, or maintain.

13 Questions Before asking a question, please identify yourself, provide your birth date, social security number, and a credit card number